Intelligence Has Nothing To Do With Whether You Get Phished Or Not
There is a common misperception that only the dumb or gullible fall for social engineering and phishing scams.
It is not true. Anyone can fall for social engineering or phishing. It only takes the right scenario, circumstances, and lack of awareness of the particular scam. I have personally known many doctors, lawyers, financial experts, and scientists who have fallen for scams. I have read about a Nobel Prize winner in physics who understood quantum physics yet lost a million dollars to a scam.
Intelligence has little to do with whether you will fall for a particular scam.
I was reminded of this reading about a former White House scientist who was scammed out of over half a million dollars (https://www.msn.com/en-us/news/us/a-former-white-house-scientist-was-scammed-out-of-655-000-then-came-the-irs/ar-AA1lukXy ). If you read about the scam, because you are a person who follows social engineering scams (as evidenced by you reading this article), you are likely screaming inside, “How can you fall for such nonsense?!”
The scam seems so obvious to us. You are thinking, “How could she fall for it?”
The biggest reason was that she was unaware of the signs and symptoms of social engineering scams. In this particular case, she was looking for specific information, probably using Google, when one of those fake antivirus warnings popped up on her screen. It seemed official to her. She obviously did not know that fake antivirus warnings are extremely common. When she called the number on the screen and was told that a Microsoft technician was helping her, she was likely relieved to get what she thought was qualified, professional help. She did not know that getting help from Microsoft is never so easy or quick.
She then ignored at least half a dozen other signs of fraud that we would consider “obvious,” including the fraudster instructing her to deny that anyone was asking her to move money if banking officials questioned her, and the fraudster insisting on staying live on her phone while she withdrew the money.
“How could she possibly think these were legitimate asks?”, you are thinking.
The answer is she simply did not know. She was not aware.
That is why we call the education we recommend security awareness training (abbreviated as SAT).
Regular computer training, even regular computer security training, simply tries to teach you a specific skill. For example, how to use a spreadsheet or how to configure firewall rules. It is aligned toward teaching a specific action.
SAT tries to teach users how to recognize social engineering and phishing scams no matter what they look like or how they arrive (e.g., email, web, social media, phone call, SMS message, etc.). And it does so by sharing example after example of common social engineering and phishing scams. Good SAT has both components: training and multiple examples.
SAT attempts to teach users how to recognize social engineering and phishing scams, and how to defeat and appropriately report them. For example, we teach that most social engineering and phishing scams begin with the following two traits: 1) It arrives unexpectedly, and 2) Is asking you to do something you have never done before (at least for that requestor).
Any message, no matter how it arrives, that has those two traits is at far higher risk of being malicious than a message without those traits, and must be further researched before performing the requested action. On top of that general recognition skill, SAT gives examples of common attacks: example after example of the most common attack types, month after month, if not week after week. You are trying to cover the most likely attack examples while showing how those two high-risk traits look in practice.
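The two-trait rule above can be written down as a triage helper a recipient (or a help desk) can apply to any message regardless of channel. The following is an added example, not code from the article or from KnowBe4; the requestor addresses, action labels, and message samples are constructed for illustration. It keeps a per-requestor baseline of actions that person has legitimately asked for before, so "something you have never done before (at least for that requestor)" becomes a lookup rather than a guess.

```python
from dataclasses import dataclass, field

# Constructed example of the two-trait rule from the article:
#   1) the message arrives unexpectedly, and
#   2) it asks for something this requestor has never asked of you before.
# A message showing both traits is flagged for verification (out of band,
# using contact details you already hold) before the action is performed.


@dataclass(frozen=True)
class Message:
    requestor: str   # claimed sender or caller, as the recipient normalizes it
    channel: str     # "email", "sms", "phone", "web", "social"; not scored
    action: str      # coarse label for what the message asks you to do
    expected: bool   # True only if the recipient was anticipating this message


@dataclass
class RequestorBaseline:
    """Per-requestor record of actions they have legitimately asked for before."""
    seen: dict = field(default_factory=dict)

    def record(self, requestor: str, action: str) -> None:
        self.seen.setdefault(requestor.lower(), set()).add(action)

    def has_asked_before(self, requestor: str, action: str) -> bool:
        return action in self.seen.get(requestor.lower(), set())


def assess(msg: Message, baseline: RequestorBaseline) -> dict:
    """Evaluate both traits and decide whether to research before acting.

    The channel is reported for context only: the rule is the same whether the
    request came by email, text, phone call or a pop-up.
    """
    unexpected = not msg.expected
    novel = not baseline.has_asked_before(msg.requestor, msg.action)
    return {
        "channel": msg.channel,
        "unexpected": unexpected,
        "novel_request": novel,
        "traits_present": int(unexpected) + int(novel),
        "research_before_acting": unexpected and novel,
    }


def demo() -> dict:
    """Run the rule over constructed sample messages and return the verdicts."""
    baseline = RequestorBaseline()
    # Constructed history: HR routinely asks for timesheet approval and the
    # vendor routinely asks for invoice payment through the usual process.
    baseline.record("hr@example.invalid", "approve_timesheet")
    baseline.record("billing@vendor.invalid", "pay_invoice")

    samples = {
        # routine, anticipated, seen before: no research trigger
        "routine_hr": Message("hr@example.invalid", "email",
                              "approve_timesheet", expected=True),
        # unexpected text from "the CEO" asking for something never requested
        "ceo_gift_cards": Message("ceo@example.invalid", "sms",
                                  "buy_gift_cards", expected=False),
        # known vendor, but an unexpected request to change payment details
        "vendor_new_bank": Message("billing@vendor.invalid", "email",
                                   "change_bank_details", expected=False),
        # a first-time request you were told to expect: one trait, not both
        "expected_but_new": Message("it@example.invalid", "phone",
                                    "enroll_mfa_device", expected=True),
    }
    return {name: assess(m, baseline) for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} traits={verdict['traits_present']} "
              f"research={verdict['research_before_acting']}")
```

The baseline is deliberately keyed on the requestor, not the organization: a known vendor asking for a routine invoice payment and the same vendor suddenly asking to change bank details are different requests, and only the second one trips the rule. The `expected_but_new` sample shows why both traits are required: a first-time request you were told in advance to expect carries one trait, and the rule reports it without demanding research.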
Anyone can be successfully socially engineered and phished. Anyone! The smartest, most skeptical people in the world can be successfully phished. I have had friends and acquaintances, upon learning that I work for the world’s largest SAT vendor, tell me that they cannot be phished. In every case where they invited me to phish them, and I agreed, I have successfully phished them. I have never failed.
I have been successfully (simulated) phished myself. More than once. Turns out there was a particular subject that when I read about it, it angered me into clicking on the associated link. The subject triggered me, and I clicked on it without thinking. Another time, I was playing hooky from work, doing a personal errand, stuck in traffic, and made a wrong turn that added another 30 minutes to my drive. I got a meeting request from my boss for a meeting tomorrow and I clicked “Yes” to accept it. Boom! It was another simulated phishing test I failed. I know the signs of social engineering and phishing. I teach them! But it was just the right subject that triggered me or timing that made me succumb to a phishing test I am sure I would not have fallen for in any other circumstance.
If you think you cannot be successfully phished, it is not the strength you think it is. If you think that only the gullible and below average intelligence people get phished, you are in for a rude surprise. Anyone can be susceptible to social engineering and phishing attacks. It just takes the right subject or circumstances.
And that is why everyone needs good SAT. Training should be at least monthly and simulated phishing tests should be monthly to weekly. The more frequent the training and simulated phishing tests, the better. We have the data to prove it (https://www.knowbe4.com/press/knowbe4-analysis-finds-security-awareness-training-and-simulated-phishing-effective-in-reducing-cybersecurity-risk ). SAT is something we all need, whether we are dumb or amazingly super brilliant. And you would be smart to heed this advice.
CEO @ Cloaked | Protecting your privacy online & in real life | Forbes 30 Under 30 | Investor | Humanitarian
10 months
An insightful piece that highlights a critical aspect of cybersecurity! Phishing doesn't discriminate by intellect; it preys on the unprepared. At Cloaked, we stand firm on the principle that awareness and preparation are key to cyber defense. Our platform is designed not just to protect personal information but also to foster an environment where security is a reflex, not an afterthought.
Digital Transformation and Integration
11 months
Thanks for this reminder, Roger. Threat agents are getting more intelligent and more resourceful each time. Actually, now we are encountering threat agents able to simulate actions done by "known" senders/callers, such that it becomes really more difficult to discern.
Author of Designing Secure Software: A guide for developers
11 months
I don't know: a very intelligent defense would be to not have a phone or email at all, which makes you invincible.
Digital Identity Crusader, Inventor, Entrepreneur, University Lecturer & ????er
11 months
Maybe it has to do with the intelligence of your IT department. If they think push, QR or OTP based MFA prevents credential phishing, you are in deep trouble.